In August, a ransomware group claimed to have compromised a U.K. water utility’s industrial control systems (ICS). Although the attack did not impact the utility’s ability to provide safe drinking water, it nevertheless underscores the risk of threat actors attempting to gain access to ICS environments. Consequently, Microsoft recently published guidance on securing IoT devices used by critical infrastructure organizations.
Microsoft researchers have previously observed threat activity relating to internet-exposed IoT devices across different industries, devices that could serve as a foothold into operational technology (OT) networks. Threat actors can also gain access by deploying malware on information technology (IT) systems and then crossing the boundary to the OT part of the network to target high-value operational assets, or by compromising unmanaged, usually less secure IoT and OT devices. Indeed, WaterISAC has previously reported on Russian threat actors successfully gaining access to organizations through unsecured IoT devices.
IoT devices are used by organizations across critical infrastructure sectors and offer significant value. If not properly secured, however, IoT devices in critical infrastructure networks increase the risk of unauthorized access to operational assets and networks. According to Microsoft, “Improper configurations such as default credentials and unpatched vulnerabilities are often abused by threat actors to gain network or device access. Once access is established, attackers could identify other assets on the same network, perform reconnaissance, and plan large-scale attacks on sensitive equipment and devices.” For example, in June, WaterISAC covered a report by Forescout’s Vedere Labs analyzing the potential for ransomware attacks against IoT devices propagating to OT assets.
Additionally, WaterISAC’s September Cyber Threat Briefing provided important tips and recommendations for securing organizations’ IoT devices. Lastly, Microsoft offers four overarching recommendations for securing IoT devices: adopting a comprehensive IoT and OT security solution, enabling vulnerability assessments, reducing the attack surface, and increasing network security. Read more at Microsoft.